Re: [RFC V2] IMA Log Snapshotting Design Proposal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 28, 2023 at 9:07 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Tue, 2023-11-28 at 20:06 -0500, Paul Moore wrote:
> > On Tue, Nov 28, 2023 at 7:09 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > On Mon, 2023-11-27 at 17:16 -0500, Paul Moore wrote:
> > > > On Mon, Nov 27, 2023 at 12:08 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > > > On Wed, 2023-11-22 at 09:22 -0500, Paul Moore wrote:

...

> > > > > Before defining a new critical-data record, we need to decide whether
> > > > > it is really necessary or if it is redundant.  If we define a new
> > > > > "critical-data" record, can it be defined such that it doesn't require
> > > > > pausing extending the measurement list?  For example, a new simple
> > > > > visual critical-data record could contain the number of records (e.g.
> > > > > <securityfs>/ima/runtime_measurements_count) up to that point.
> > > >
> > > > What if the snapshot_aggregate was a hash of the measurement log
> > > > starting with either the boot_aggregate or the latest
> > > > snapshot_aggregate and ending on the record before the new
> > > > snapshot_aggregate?  The performance impact at snapshot time should be
> > > > minimal as the hash can be incrementally updated as new records are
> > > > added to the measurement list.  While the hash wouldn't capture the
> > > > TPM state, it would allow some crude verification when reassembling
> > > > the log.  If one could bear the cost of a TPM signing operation, the
> > > > log digest could be signed by the TPM.
> > >
> > > Other critical data is calculated, before calling
> > > ima_measure_critical_data(), which adds the record to the measurement
> > > list and extends the TPM PCR.
> > >
> > > Signing the hash shouldn't be an issue if it behaves like other
> > > critical data.
> > >
> > > In addition to the hash, consider including other information in the
> > > new critical data record (e.g. total number of measurement records, the
> > > number of measurements included in the hash, the number of times the
> > > measurement list was trimmed, etc).
> >
> > It would be nice if you could provide an explicit list of what you
> > would want hashed into a snapshot_aggregate record; the above is
> > close, but it is still a little hand-wavy.  I'm just trying to reduce
> > the back-n-forth :)
>
> What is being defined here is the first IMA critical-data record, which
> really requires some thought.

My thinking has always been that taking a hash of the current
measurement log up to the snapshot point would be a nice
snapshot_aggregate measurement, but I'm not heavily invested in that.
To me it is more important that we find something we can all agree on,
perhaps reluctantly, so we can move forward with a solution.

> For ease of review, this new critical-
> data record should be a separate patch set from trimming the
> measurement list.

I see the two as linked, but if you prefer them as separate then so be
it.  Once again, the important part is to move forward with a
solution, I'm not overly bothered if it arrives in multiple pieces
instead of one.

> As I'm sure you're aware, SElinux defines two critical-data records.
> From security/selinux/ima.c:
>
>         ima_measure_critical_data("selinux", "selinux-state",
>                                   state_str, strlen(state_str), false,
>                                   NULL, 0);
>
>         ima_measure_critical_data("selinux", "selinux-policy-hash",
>                                   policy, policy_len, true,
>                                   NULL, 0);

Yep, but there is far more to this than SELinux.

-- 
paul-moore.com

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec




[Index of Archives]     [LM Sensors]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Gimp]     [Yosemite News]     [Linux Media]

  Powered by Linux